IPSEC error message, what does this mean??

May 27th, 2008

Hello All,

I have a complex design using IPSec tunnels to connect remote users. The IPSec tunnels to the devices work; however, they occasionally drop. When the IPSec tunnels drop I seem to be getting the following error logged with ISAKMP and IPSec debugging turned on. I can find no reference to it anywhere on the Cisco site. The error reads:

ISAKMP: Trying to decrement ipsec count below 0

This is logged a few times then I see:

ISAKMP:(0:4:SW:1):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer xx.xx.xx.xx)

Which I suspect is where the IPSec link is getting reset.

Can anyone explain to me what this means, and/or why this is happening?

I can't post configs etc. as this is relating to a military installation.

Thanks for any advice.

nickgreen Mon, 06/02/2008 - 06:30

Thank you for the response, however it doesn't really help, as when I go into the bug toolkit I receive the following message:

CSCeg44021 has been superseded by CSCeb03160 displayed below.

CSCeb03160 Bug Details

Information contained within bug ID CSCeb03160 is only available to Cisco employees. It is our policy to make all externally-facing bugs available in Bug Toolkit so the system administrators have been automatically alerted to the problem.

We are not using Cisco VPN clients but have Windows devices configured to use local IP policies using secpol.msc. The IPSec tunnels to devices set up and run OK, however they drop out as a group (those using the same map) after a period of time. The only errors seen in the error log which seem to be relevant are those that I've previously listed. The Cisco (home) end of the tunnels is a 2811 running IOS 12.4 Advanced IP Services. A loopback address is used for the IPSec tunnel endpoint, as each site is connected via GRE tunnels to a site 2811. The far end (site) router is not configured for IPSec, and the secured traffic passes to the devices attached to the LAN beyond this router.

I have a total of 24 IPsec tunnels defined, as groups of four over six sites. Each group of far-end devices shares a pre-shared key, ACLs and mapping information.

Any further information/assistance would be appreciated, as I am still none the wiser as to what the decrement error means.
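A small triage helper for the two debug messages quoted in this thread (an added example, not code from the poster or from Cisco): it pairs each `deleting SA reason "Death by retransmission throw"` line with the number of `Trying to decrement ipsec count below 0` messages logged since the previous deletion, and counts retransmission-timeout deletions per peer so tunnels that drop together under one crypto map stand out. The log lines, timestamps and peer addresses below are constructed samples in IOS debug format.

```python
import re
from collections import defaultdict

# Constructed sample of IOS ISAKMP debug output (not taken from the thread).
SAMPLE_LOG = """\
*May 27 09:58:01.101: ISAKMP: Trying to decrement ipsec count below 0
*May 27 09:58:01.205: ISAKMP: Trying to decrement ipsec count below 0
*May 27 09:58:07.330: ISAKMP:(0:4:SW:1):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 192.0.2.10)
*May 27 09:58:08.010: ISAKMP:(0:5:SW:1):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 192.0.2.11)
*May 27 10:31:44.718: ISAKMP: Trying to decrement ipsec count below 0
*May 27 10:31:50.902: ISAKMP:(0:7:SW:1):deleting SA reason "Death by retransmission throw" state (R) QM_IDLE (peer 192.0.2.10)
*May 27 10:32:00.000: ISAKMP:(0:8:SW:1):deleting SA reason "No reason" state (R) QM_IDLE (peer 192.0.2.12)
"""

# IOS timestamp prefix, e.g. "*May 27 09:58:01.101: " (leading '*' is optional).
TIMESTAMP = r'^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): '
DECREMENT = re.compile(TIMESTAMP + r'ISAKMP: Trying to decrement ipsec count below 0')
DELETE_SA = re.compile(TIMESTAMP + r'ISAKMP:\([^)]*\):deleting SA reason "(?P<reason>[^"]+)" '
                       r'state \((?P<role>[IR])\) (?P<state>\S+) \(peer (?P<peer>[\d.]+)\)')

def correlate_sa_deletions(log_text):
    """Return SA-deletion events, each with the count of 'decrement below 0' lines seen since the last deletion."""
    events = []
    pending_decrements = 0
    for line in log_text.splitlines():
        if DECREMENT.match(line):
            pending_decrements += 1
            continue
        m = DELETE_SA.match(line)
        if m:
            events.append({
                'time': m['ts'], 'peer': m['peer'], 'reason': m['reason'],
                'state': m['state'], 'preceding_decrements': pending_decrements,
            })
            pending_decrements = 0  # the decrement burst belongs to this deletion
    return events

def retransmission_deaths_by_peer(events):
    """Count only retransmission-timeout deletions per peer; other reasons (rekey, admin clear) are ignored."""
    counts = defaultdict(int)
    for e in events:
        if e['reason'].startswith('Death by retransmission'):
            counts[e['peer']] += 1
    return dict(counts)

if __name__ == '__main__':
    evs = correlate_sa_deletions(SAMPLE_LOG)
    for e in evs:
        print(f"{e['time']} peer={e['peer']} reason={e['reason']!r} decrements_before={e['preceding_decrements']}")
    print(retransmission_deaths_by_peer(evs))
```

Peers whose deletions cluster within a few seconds of each other, as 192.0.2.10 and 192.0.2.11 do in the sample, are the ones sharing a map and timing out together; that is the pattern to compare against the real debug output.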
